Answer to StoM Scan 25

Tools

Analysis Methodology

Verification of the source

After downloading the “.unlock” file from the Honeynet challenge
web page, we immediately verified its MD5 checksum against the value
published on the Honeynet web page.

C:\>md5sum .unlock

a03b5be9264651ab30f2223592befb42 *.unlock

Afterwards, we performed a file type analysis. From the
result, we confirmed that the “.unlock” file is a .tgz archive.

By looking directly at the modified, accessed and created (MAC)
times, we confirmed that the file was created at 18:59 20-Sep-2002.

After uncompressing the tgz archive, we found two C source files
inside: .unlock.c and .update.c. They were created at 21:28 20-Sep-2002
and 05:57 20-Sep-2002 respectively.

From the comments in the two files, we identified two names in the
.unlock.c file: [email protected] and [email protected].
The comments state that the code in .unlock.c was modified by aion and
that .update.c was created by aion.

In a C program, the first argument, argv[0], holds the name under which
the program was invoked. In .update.c, argv[0] is overwritten with a
string copied from PSNAME, which is #defined as “update”. In .unlock.c the
process name is defined as “httpd ”.

According to the .unlock.c source code, the compiled worm copies itself
to the newly infected host by sending a uuencoded copy of its own
content, which is written to /tmp/.unlock.uu on the target.

Once the worm has compromised a target, it uudecodes itself there. The
decoded archive contains the two C files (.unlock.c and .update.c), which
are then compiled into the httpd and update executables in /tmp.

Total files created in the infected host:

a. /tmp/.unlock.uu
b. /tmp/.unlock
c. /tmp/.unlock.c
d. /tmp/.update.c
e. /tmp/httpd
f. /tmp/update

Afterwards, further actions are carried out and the following files
are removed:

a. /tmp/.unlock.uu
b. /tmp/.unlock.c
c. /tmp/.update.c
d. /tmp/httpd
e. /tmp/update

Remaining after execution:

/tmp/.unlock

Based on the #define SCANPORT value, the port scanned by the worm
is port 80.

From the code we confirmed that the worm targets Linux-based Apache
servers with SSL support, which it attacks via the SSL buffer overflow
vulnerability.

When the worm has successfully attacked a target, it collects the
machine's identifier, IP address and host name and sends this information
to the program's author at “[email protected]” via the mail server
freemail.ukr.net.

According to the code, the worm communicates with the worms on other
infected machines via UDP port 80.

The worm can further affect the network by flooding it with one of the
following methods:

a. UDP flood
b. TCP flood
c. IPv6 TCP flood
d. DNS flood

Further examination of the program shows that the backdoor created by
the worm listens on TCP port 1052 and interacts with the client only once
the password “aion1981” has been entered.

Once executed, the backdoor listens for requests on the port for 10
seconds in every 5 minutes. If no request arrives, the backdoor port is
closed again to reduce the chance of being detected.

This behaviour is governed by the SLEEPTIME variable: the sleep time of
the backdoor controls how long the backdoor port stays closed. The UPTIME
counter is its counterpart and holds the time for which the backdoor
listens on the backdoor port.

Answers to the questions

1. The .unlock file is a standard .tgz file. It was created at 18:59 20-Sep-2002.

2. The author's name is aion (email address “[email protected]”). Looking
at the time stamp of each file in the tar archive, the source file
“.unlock.c” was created at 21:28 20-Sep-2002 and “.update.c” at 05:57
20-Sep-2002. The time stamp of .unlock.c is not consistent with that of the
.tgz file, since .unlock.c is newer than the .tgz. One possible explanation
is that the time zones of the hacker's and the victim's machines do not
match. In a POSIX file system the time stamp is stored as the difference
in milliseconds from the base-line time (1 Jan 1970, GMT+0). It is likely
that the .unlock.c file was compiled and created on a different machine.
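An added example (not the team's own tooling) of the source verification described in the Analysis Methodology and in answer 2: compute the MD5, check the gzip magic bytes, read each member's mtime from the tar archive and flag members that are newer than the archive itself. The sample archive is constructed with the timestamps reported above; it is not the real .unlock.

```python
import hashlib, io, os, tarfile, tempfile
from datetime import datetime, timezone

def md5_hex(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_gzip(path):
    # File-type check by magic bytes, independent of the hidden file name.
    with open(path, "rb") as f:
        return f.read(2) == b"\x1f\x8b"

def member_times(path):
    # Each member's recorded mtime as a UTC datetime.
    with tarfile.open(path, "r:gz") as tf:
        return {m.name: datetime.fromtimestamp(m.mtime, tz=timezone.utc)
                for m in tf.getmembers()}

def members_newer_than_archive(path):
    # A member newer than the archive points at clock or time-zone differences.
    archive_mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    return sorted(n for n, t in member_times(path).items() if t > archive_mtime)

def verify_sample(path, expected_md5):
    return {"md5_ok": md5_hex(path) == expected_md5.lower(),
            "is_tgz": is_gzip(path),
            "members": member_times(path),
            "newer_than_archive": members_newer_than_archive(path)}

def build_constructed_sample(path):
    # Constructed stand-in for .unlock (not the real sample): two placeholder
    # source members carrying the timestamps reported in the write-up.
    stamps = {".unlock.c": datetime(2002, 9, 20, 21, 28, tzinfo=timezone.utc),
              ".update.c": datetime(2002, 9, 20, 5, 57, tzinfo=timezone.utc)}
    with tarfile.open(path, "w:gz") as tf:
        for name, when in stamps.items():
            data = b"/* placeholder source */\n"
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), int(when.timestamp())
            tf.addfile(info, io.BytesIO(data))
    archive = datetime(2002, 9, 20, 18, 59, tzinfo=timezone.utc).timestamp()
    os.utime(path, (archive, archive))

def demo():
    # Build the constructed sample in a temp dir and run the checks against it.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".unlock")
        build_constructed_sample(path)
        return verify_sample(path, md5_hex(path))
```

On the constructed sample, only .unlock.c is reported as newer than the archive, reproducing the inconsistency discussed in answer 2.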

3. From the program, PSNAME symbolizes the process name set at start-up.
The worm's processes will be named “update” and “httpd ” (defined in the
“PSNAME” definition).

4. From the identified attack method, the worm copies itself to the
infested host by sending a uuencoded text of itself to /tmp/.unlock.uu.
It then decodes the file with the command “uudecode -o /tmp/.unlock
/tmp/.unlock.uu” and untars the decoded file, which extracts the two
source files:

a. .unlock.c
b. .update.c

With these two source files, the worm compiles them and generates two
executables:

a. /tmp/httpd
b. /tmp/update

Total files created in the infected host:

a. /tmp/.unlock.uu
b. /tmp/.unlock
c. /tmp/.unlock.c
d. /tmp/.update.c
e. /tmp/httpd
f. /tmp/update

Removed:

/tmp/.unlock.uu
/tmp/.unlock.c
/tmp/.update.c
/tmp/httpd
/tmp/update

Remaining after execution:

/tmp/.unlock

5. Port 80 is scanned by the worm (defined by the #define definition
“SCANPORT”).

6. The worm tries to exploit the Apache SSL buffer overflow vulnerability.
Architecture, Apache version and <offset> do not need to be mentioned.
The following shows the version of the

{"Gentoo",    "",       0x08086c34},
{"Debian",    "1.3.26", 0x080863cc},
{"Red-Hat",   "1.3.6",  0x080707ec},
{"Red-Hat",   "1.3.9",  0x0808ccc4},
{"Red-Hat",   "1.3.12", 0x0808f614},
{"Red-Hat",   "1.3.12", 0x0809251c},
{"Red-Hat",   "1.3.19", 0x0809af8c},
{"Red-Hat",   "1.3.20", 0x080994d4},
{"Red-Hat",   "1.3.26", 0x08161c14},
{"Red-Hat",   "1.3.23", 0x0808528c},
{"Red-Hat",   "1.3.22", 0x0808400c},
{"SuSE",      "1.3.12", 0x0809f54c},
{"SuSE",      "1.3.17", 0x08099984},
{"SuSE",      "1.3.19", 0x08099ec8},
{"SuSE",      "1.3.20", 0x08099da8},
{"SuSE",      "1.3.23", 0x08086168},
{"SuSE",      "1.3.23", 0x080861c8},
{"Mandrake",  "1.3.14", 0x0809d6c4},
{"Mandrake",  "1.3.19", 0x0809ea98},
{"Mandrake",  "1.3.20", 0x0809e97c},
{"Mandrake",  "1.3.23", 0x08086580},
{"Slackware", "1.3.26", 0x083d37fc},
{"Slackware", "1.3.26", 0x080b2100}

7. Three pieces of information about the infected host are sent to the
worm author:

a. the identifier of the machine
b. the IP address
c. the host name of the machine

9. For network bandwidth flooding attacks, the worm can perform one of
the following once a command is received:

a. UDP flood
b. TCP flood
c. IPv6 TCP flood
d. DNS flood

10. It is a backdoor program that binds a shell to port 1052, protected
with the password “aion1981”. Once executed, it listens on the port for 10
seconds in every 5 minutes and then shuts the port down in order to reduce
the chance of being detected.
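As an added example (not part of the original write-up), the host-side checks a responder could run for the artifacts described in answers 3, 4 and 10: the dropped files in /tmp, processes named after PSNAME but running from /tmp, and a listener on TCP 1052 read from /proc/net/tcp. The sample path list, process list and /proc/net/tcp text are constructed, not captured from a real host.

```python
# Artifacts named in the write-up; the PSNAME process names are suspicious
# only when the binary runs from /tmp, since a legitimate httpd lives elsewhere.
DROPPED_FILES = {"/tmp/.unlock.uu", "/tmp/.unlock", "/tmp/.unlock.c",
                 "/tmp/.update.c", "/tmp/httpd", "/tmp/update"}
PSNAMES = {"httpd", "update"}
BACKDOOR_PORT = 1052

def suspicious_files(paths):
    return sorted(set(paths) & DROPPED_FILES)

def suspicious_processes(procs):
    # procs: (pid, comm, exe) triples as read from /proc/<pid>/comm and /proc/<pid>/exe
    return [p for p in procs if p[1] in PSNAMES and p[2].startswith("/tmp/")]

def listening_ports(proc_net_tcp):
    # Parse /proc/net/tcp text: local address is "HEXIP:HEXPORT", state 0A is LISTEN.
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def scan_host(paths, procs, proc_net_tcp):
    ports = listening_ports(proc_net_tcp)
    return {"files": suspicious_files(paths),
            "processes": suspicious_processes(procs),
            "backdoor_listening": BACKDOOR_PORT in ports,
            "listening_ports": sorted(ports)}

# Constructed sample input (not captured from a real host).
SAMPLE_PATHS = ["/tmp/.unlock", "/tmp/.X11-unix", "/tmp/httpd", "/var/log/messages"]
SAMPLE_PROCS = [(1, "init", "/sbin/init"), (812, "httpd", "/usr/sbin/httpd"),
                (2291, "httpd", "/tmp/httpd"), (2300, "update", "/tmp/update")]
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:041C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1
   2: 0100007F:041C 0100007F:8A3C 01 00000000:00000000 00:00000000 00000000     0        0 5679 1
"""

if __name__ == "__main__":
    print(scan_host(SAMPLE_PATHS, SAMPLE_PROCS, SAMPLE_PROC_NET_TCP))
```

Because the backdoor listens for only 10 seconds in every 5 minutes, a single snapshot of /proc/net/tcp misses it most of the time; poll every second or two for longer than 5 minutes, or rely on the file and process checks, which are present the whole time.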

11. Bonus: The SLEEPTIME variable is used as the counter for the backdoor's
sleep time. The purpose of sleeping is to suspend the backdoor from
listening on the port, which reduces the chance of being detected by
listing open ports with “netstat”. The UPTIME counter limits the time for
which the backdoor listens on the backdoor port.